New software bug could be bigger than Heartbleed

By Edd Gent

Published Thursday, September 25, 2014

A security bug in a widely used piece of software dubbed ‘Shellshock’ could pose a bigger threat to computer users than the infamous ‘Heartbleed’ bug.

The fault is found in the Bash shell – software used to control the command prompt on many Unix-based operating systems including Linux and Apple Inc's Mac OS X – and allows hackers to take complete control of a targeted system, security experts said.

The Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, issued an alert about the flaw advising computer users to obtain operating systems updates from software makers.

This is the second major vulnerability in a widely used piece of technology this year, following on from the Heartbleed bug, which caused widespread panic in April. But while the Heartbleed bug merely allowed hackers to access data on secure systems, according to Dan Guido, chief executive of cyber-security firm Trail of Bits, Shellshock could let them take control.

"The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results," he said.

Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned that the bug, which is also known as the 'Bash Bug', was rated a "10" for severity, meaning it has maximum impact, and rated "low" for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, etc," Beardsley said. "Anybody with systems using Bash needs to deploy the patch immediately."

Linux providers including Red Hat, which first revealed the vulnerability, have already prepared patches, but Apple representatives could not be reached to confirm whether there was a patch for OS X yet.

Tavis Ormandy, a Google security researcher, said via Twitter that the patches seemed "incomplete". Ormandy could not be reached to elaborate, but several security experts said a brief technical comment provided on Twitter raised concerns.

"That means some systems could be exploited even though they are patched," said Chris Wysopal, chief technology officer with security software maker Veracode.

He said corporate security teams had spent the day combing their networks to find vulnerable machines and patch them, and they would likely be taking other precautions to mitigate the potential for attacks in case the patches proved ineffective.

"Everybody is scrambling to patch all of their Internet-facing Linux machines. That is what we did at Veracode today," he said. "It could take a long time to get that done for very large organisations with complex networks."
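A local check a defender could run while combing a fleet for vulnerable hosts, as an added example that is not from the article or any vendor tool. It uses the two widely circulated public probe strings (the original function-import bug and the follow-up parser issue that left the first patches incomplete); `$BASH_BIN`, the function names and the verdict strings are this example's own choices.

```shell
#!/bin/sh
# Local Shellshock check (added example; not from the article or any vendor).
# Assumes a Bash binary reachable as $BASH_BIN (default: "bash" on PATH).
BASH_BIN="${BASH_BIN:-bash}"

# Probe 1: the original bug. Bash imported function definitions from any
# environment variable; a vulnerable build also runs the trailing command.
probe_function_import() {
    env x='() { :;}; echo VULNERABLE' "$BASH_BIN" -c 'echo done' 2>/dev/null
    return 0
}

# Probe 2: the parser issue that made the first patches "incomplete". A bash
# that still mis-parses the definition turns 'echo date' into a redirect and
# leaves a file named "echo" behind, so run it inside a throwaway directory.
probe_parser() {
    tmp=$(mktemp -d) || return 0
    (
        cd "$tmp" || exit 0
        env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1
        [ -e echo ] && echo VULNERABLE
        exit 0
    ) || true
    rm -rf "$tmp"
    return 0
}

# Map raw probe output to a verdict. Kept separate so the logic can be
# exercised on constructed output without needing a vulnerable bash.
classify() {
    case "$1" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Verdict for this host: vulnerable, patched, or no-bash.
check_bash() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    out1=$(probe_function_import) || true
    out2=$(probe_parser) || true
    classify "$out1 $out2"
}

check_bash
```

Run it with `BASH_BIN=/path/to/bash` to test a specific binary rather than the first one on PATH.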

The Bash shell is produced by the non-profit Free Software Foundation. Officials with that group could not be reached for comment.